Fix imported server certs being distrusted in NSS 3.13.

net/base/cert_database_nss_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <cert.h>
+#include <certdb.h>
 #include <pk11pub.h>
 
 #include <algorithm>
 
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/lazy_instance.h"
 #include "base/message_loop.h"
 #include "base/path_service.h"
 #include "base/string16.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/cert_database.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_test_util.h"
 #include "net/base/cert_verify_proc.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
-#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-namespace psm = mozilla_security_manager;
+// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
+// the new name of the macro.
+#if !defined(CERTDB_TERMINAL_RECORD)
+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
+#endif
 
 namespace net {
 
 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is
 // fixed, switch back to using a separate userdb for each test.
 // (When doing so, remember to add some standalone tests of DeleteCert since it
 // won't be tested by TearDown anymore.)
 class CertDatabaseNSSTest : public testing::Test {
  public:
   static void SetUpTestCase() {
@@ skipping 60 matching lines @@
   }
 
   scoped_refptr<CryptoModule> slot_;
   CertDatabase cert_db_;
 
  private:
   static bool CleanupSlotContents(PK11SlotInfo* slot) {
     CertDatabase cert_db;
     bool ok = true;
     CertificateList certs = ListCertsInSlot(slot);
+    CERTCertTrust default_trust = {0};
     for (size_t i = 0; i < certs.size(); ++i) {
+      // Reset cert trust values to defaults before deleting.  Otherwise NSS (at
+      // least 3.12.9, but not 3.13.4) somehow seems to remember the trust which
+      // can break following tests.

[wtc, 2012/05/30 00:19:24]

We should track down exactly which NSS change caused this.

Between NSS 3.12.9 and NSS 3.13.4, there are the following
NSS releases:

NSS_3_12_9_1_RTM
NSS_3_12_10_RTM
NSS_3_12_11_RTM
NSS_3_13_RTM
NSS_3_13_1_RTM
NSS_3_13_2_RTM
NSS_3_13_3_RTM

Could you narrow down the version range in which this
behavior changed?  If you don't have time, I can do this
bisection.

[wtc, 2012/05/30 00:39:54]

I happened to see this CERT_ChangeCertTrust call in Mozilla's
nsNSSCertificateDB::DeleteCertificate:
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSC...

Could it be related?

[mattm, 2012/05/30 22:40:58]

Okay, after further testing I had narrowed it down but began to wonder if it was
due to the parts of tests being disabled on older versions of NSS.  Indeed, it
just turns out that with the tests being fully run that particular state didn't
occur.  If I made the tests follow the same path in newer NSS, or wrote a test
specifically to check for this, it does happen in all NSS versions I tested.

I'll update the comment and check in as is, we can decide separately if we want
to handle deletion differently.

+      SECStatus srv = CERT_ChangeCertTrust(
+          CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
+      if (srv != SECSuccess)
+        ok = false;
+
       if (!cert_db.DeleteCertAndKey(certs[i]))
         ok = false;
     }
     return ok;
   }
 };
 
 TEST_F(CertDatabaseNSSTest, ListCerts) {
   // This test isn't terribly useful, though it will at least let valgrind test
   // for leaks.
@@ skipping 143 matching lines @@
   EXPECT_EQ(0U, failed.size());
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
   EXPECT_EQ("Test CA", cert->subject().common_name);
 
   EXPECT_EQ(CertDatabase::TRUSTED_SSL,
             cert_db_.GetCertTrust(cert.get(), CA_CERT));
 
-  psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
-  EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
-  EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));
-  EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE));
-  EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_TRUE, PR_TRUE));
-  EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE));
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
+                     CERTDB_TRUSTED_CLIENT_CA),
+            cert->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            cert->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            cert->os_cert_handle()->trust->objectSigningFlags);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
   CertificateList certs = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "root_ca_cert.crt",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
 
   // Import it.
   CertDatabase::ImportCertFailureList failed;
   EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL,
                                      &failed));
 
   EXPECT_EQ(0U, failed.size());
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
   EXPECT_EQ("Test CA", cert->subject().common_name);
 
   EXPECT_EQ(CertDatabase::TRUSTED_EMAIL,
             cert_db_.GetCertTrust(cert.get(), CA_CERT));
 
-  psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
-  EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
-  EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));
-  EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE));
-  EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE));
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            cert->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
+                     CERTDB_TRUSTED_CLIENT_CA),
+            cert->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            cert->os_cert_handle()->trust->objectSigningFlags);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
   CertificateList certs = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "root_ca_cert.crt",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
 
   // Import it.
   CertDatabase::ImportCertFailureList failed;
   EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN,
                                      &failed));
 
   EXPECT_EQ(0U, failed.size());
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
   EXPECT_EQ("Test CA", cert->subject().common_name);
 
   EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN,
             cert_db_.GetCertTrust(cert.get(), CA_CERT));
 
-  psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
-  EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
-  EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));
-  EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE));
-  EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE));
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            cert->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            cert->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
+                     CERTDB_TRUSTED_CLIENT_CA),
+            cert->os_cert_handle()->trust->objectSigningFlags);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
   CertificateList certs = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "google.single.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
 
   // Import it.
@@ skipping 73 matching lines @@
   EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
   CertificateList certs;
   ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
   ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
 
   // Import it.
   CertDatabase::ImportCertFailureList failed;
-  EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, &failed));
+  EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUST_DEFAULT,
+                                     &failed));
 
   ASSERT_EQ(1U, failed.size());
   EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
   // TODO(mattm): should check for net error equivalent of
   // SEC_ERROR_UNTRUSTED_ISSUER
   EXPECT_EQ(ERR_FAILED, failed[0].net_error);
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
@@ skipping 57 matching lines @@
 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
   // Need to import intermediate cert for the verify of google cert, otherwise
   // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
   // will cause OCSPCreateSession on the main thread, which is not allowed.
   CertificateList certs = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "google.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(2U, certs.size());
 
   CertDatabase::ImportCertFailureList failed;
-  EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed));
+  EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
+                                        &failed));
 
   EXPECT_EQ(0U, failed.size());
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(2U, cert_list.size());
   scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
   scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
   EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
   EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
 
-  EXPECT_EQ(CertDatabase::UNTRUSTED,
+  EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
             cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT));
-  psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust);
-  EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE));
+
+  EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->objectSigningFlags);
 
   scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
   int flags = 0;
   CertVerifyResult verify_result;
   int error = verify_proc->Verify(goog_cert, "www.google.com", flags,
                                       NULL, &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
   CertificateList certs;
   ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
 
   CertDatabase::ImportCertFailureList failed;
-  EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed));
+  EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
+                                        &failed));
 
   EXPECT_EQ(0U, failed.size());
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
 
-  EXPECT_EQ(CertDatabase::UNTRUSTED,
+  EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
             cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
-  psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust);
-  EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE));
+  EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags);
 
   scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
   int flags = 0;
   CertVerifyResult verify_result;
   int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
                                       NULL, &verify_result);
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
-
-  // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not
-  // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160
-  EXPECT_TRUE(cert_db_.SetCertTrust(
-      puny_cert.get(), CA_CERT,
-      CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL));
-
-  verify_result.Reset();
-  error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
-                                  NULL, &verify_result);
-  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
+  // When using CERT_PKIXVerifyCert (which we do), server trust only works from
+  // 3.13.4 onwards.  See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
+  if (!NSS_VersionCheck("3.13.4")) {
+    LOG(INFO) << "test skipped on NSS < 3.13.4";
+    return;
+  }
+
+  CertificateList certs;
+  ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
+
+  CertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL,
+                                        &failed));
+
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
+
+  EXPECT_EQ(CertDatabase::TRUSTED_SSL,
+            cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
+  EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
+            puny_cert->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags);
+
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
+                                      NULL, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
+  CertificateList ca_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "root_ca_cert.crt",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_certs.size());
+
+  // Import CA cert and trust it.
+  CertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
+                                     &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  // Import server cert with default trust.
+  EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
+                                        &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  // Server cert should verify.
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
+  // Explicit distrust only works starting in NSS 3.13.
+  if (!NSS_VersionCheck("3.13")) {
+    LOG(INFO) << "test skipped on NSS < 3.13";
+    return;
+  }
+
+  CertificateList ca_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "root_ca_cert.crt",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_certs.size());
+
+  // Import CA cert and trust it.
+  CertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
+                                     &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  // Import server cert without inheriting trust from issuer (explicit
+  // distrust).
+  EXPECT_TRUE(cert_db_.ImportServerCert(
+      certs, CertDatabase::DISTRUSTED_SSL, &failed));
+  EXPECT_EQ(0U, failed.size());
+  EXPECT_EQ(CertDatabase::DISTRUSTED_SSL,
+            cert_db_.GetCertTrust(certs[0], SERVER_CERT));
+
+  EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
+            certs[0]->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(0L, certs[0]->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(0L, certs[0]->os_cert_handle()->trust->objectSigningFlags);

[wtc, 2012/05/30 00:19:24]

sslFlags, emailFlags, and objectSigningFlags are of the type
unsigned int.  So it seems that the 0 constants should have
the suffix U, if they need a suffix.

[mattm, 2012/05/30 22:40:58]

oops, fixed.

+
+  // Server cert should fail to verify.
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result);
+  EXPECT_EQ(ERR_CERT_REVOKED, error);
+  EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
+  CertificateList ca_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-root.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_certs.size());
+
+  // Import Root CA cert and distrust it.
+  CertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::DISTRUSTED_SSL,
+                                     &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList intermediate_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, intermediate_certs.size());
+
+  // Import Intermediate CA cert and trust it.
+  EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs,
+                                     CertDatabase::TRUSTED_SSL, &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  // Import server cert with default trust.
+  EXPECT_TRUE(cert_db_.ImportServerCert(
+      certs, CertDatabase::TRUST_DEFAULT, &failed));
+  EXPECT_EQ(0U, failed.size());
+  EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
+            cert_db_.GetCertTrust(certs[0], SERVER_CERT));
+
+  // Server cert should verify.
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+
+  // Explicit distrust only works starting in NSS 3.13.
+  if (!NSS_VersionCheck("3.13")) {
+    LOG(INFO) << "test partially skipped on NSS < 3.13";
+    return;
+  }
+
+  // Trust the root cert and distrust the intermediate.
+  EXPECT_TRUE(cert_db_.SetCertTrust(
+      ca_certs[0], CA_CERT, CertDatabase::TRUSTED_SSL));
+  EXPECT_TRUE(cert_db_.SetCertTrust(
+      intermediate_certs[0], CA_CERT, CertDatabase::DISTRUSTED_SSL));
+  EXPECT_EQ(
+      unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
+      ca_certs[0]->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            ca_certs[0]->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
+  EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
+            intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
+  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
+            intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
+  EXPECT_EQ(
+      unsigned(CERTDB_VALID_CA),
+      intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
+
+  // Server cert should fail to verify.
+  CertVerifyResult verify_result2;
+  error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result2);
+  EXPECT_EQ(ERR_CERT_REVOKED, error);
+  EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
+  CertDatabase::ImportCertFailureList failed;
+
+  CertificateList intermediate_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, intermediate_certs.size());
+
+  // Import Intermediate CA cert and trust it.
+  EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs,
+                                     CertDatabase::TRUSTED_SSL, &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  // Import server cert with default trust.
+  EXPECT_TRUE(cert_db_.ImportServerCert(
+      certs, CertDatabase::TRUST_DEFAULT, &failed));
+  EXPECT_EQ(0U, failed.size());
+  EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
+            cert_db_.GetCertTrust(certs[0], SERVER_CERT));
+
+  // Server cert should verify.
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+
+  // Without explicit trust of the intermediate, verification should fail.
+  EXPECT_TRUE(cert_db_.SetCertTrust(
+      intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT));
+
+  // Server cert should fail to verify.
+  CertVerifyResult verify_result2;
+  error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result2);
+  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
+  CertDatabase::ImportCertFailureList failed;
+
+  CertificateList ca_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-root.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_certs.size());
+
+  // Import Root CA cert and default trust it.
+  EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUST_DEFAULT,
+                                     &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList intermediate_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, intermediate_certs.size());
+
+  // Import Intermediate CA cert and trust it.
+  EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs,
+                                     CertDatabase::TRUSTED_SSL, &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  // Import server cert with default trust.
+  EXPECT_TRUE(cert_db_.ImportServerCert(
+      certs, CertDatabase::TRUST_DEFAULT, &failed));
+  EXPECT_EQ(0U, failed.size());
+  EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
+            cert_db_.GetCertTrust(certs[0], SERVER_CERT));
+
+  // Server cert should verify.
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+
+  // Without explicit trust of the intermediate, verification should fail.
+  EXPECT_TRUE(cert_db_.SetCertTrust(
+      intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT));
+
+  // Server cert should fail to verify.
+  CertVerifyResult verify_result2;
+  error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result2);
+  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
+  // Explicit distrust only works starting in NSS 3.13.
+  if (!NSS_VersionCheck("3.13")) {
+    LOG(INFO) << "test skipped on NSS < 3.13";
+    return;
+  }
+
+  CertDatabase::ImportCertFailureList failed;
+
+  CertificateList ca_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-root.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_certs.size());
+
+  // Import Root CA cert and trust it.
+  EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
+                                     &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList intermediate_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, intermediate_certs.size());
+
+  // Import Intermediate CA cert and distrust it.
+  EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs,
+                                     CertDatabase::DISTRUSTED_SSL, &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  // Import server cert with default trust.
+  EXPECT_TRUE(cert_db_.ImportServerCert(
+      certs, CertDatabase::TRUST_DEFAULT, &failed));
+  EXPECT_EQ(0U, failed.size());
+  EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
+            cert_db_.GetCertTrust(certs[0], SERVER_CERT));
+
+  // Server cert should not verify.
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result);
+  EXPECT_EQ(ERR_CERT_REVOKED, error);
+  EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
+
+  // Without explicit distrust of the intermediate, verification should succeed.
+  EXPECT_TRUE(cert_db_.SetCertTrust(
+      intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT));
+
+  // Server cert should verify.
+  CertVerifyResult verify_result2;
+  error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result2);

[wtc, 2012/05/30 00:19:24]

Nit: indentation of the arguments is wrong.  The other unit
tests have the same problem.

[mattm, 2012/05/30 22:40:58]

Done.

+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result2.cert_status);
 }
 
 }  // namespace net